Re: FreeBSD's RST validation

From: Don Lewis (Don.Lewisat_private)
Date: Mon Aug 31 1998 - 11:55:07 PDT

    On Aug 31, 11:24am, Bruce A. Mah wrote:
    } Subject: Re: FreeBSD's RST validation
    }
    } Personally, I had something a little less radical in mind.  Here's some
    } context diffs against tcp_input.c in 2.2.7-RELEASE, which I sent to
    } security-officerat_private last night after some quick testing.
    }
    } Now someone can tell me why this isn't the right solution.  :-)
    }
    } Bruce.
    }
    } -----8<-----snip-----8<-----
    }
    } *** tcp_input.c-dist  Mon May 18 10:12:44 1998
    } --- tcp_input.c       Sun Aug 30 21:22:32 1998
    } ***************
    } *** 809,815 ****
    }                               goto dropwithreset;
    }               }
    }               if (tiflags & TH_RST) {
    } !                     if (tiflags & TH_ACK)
    }                               tp = tcp_drop(tp, ECONNREFUSED);
    }                       goto drop;
    }               }
    } --- 809,818 ----
    }                               goto dropwithreset;
    }               }
    }               if (tiflags & TH_RST) {
    } !                     if ((tiflags & TH_ACK) &&
    } !                     /* XXX outside window? XXX */
    } !                         (SEQ_GT(ti->ti_ack, tp->iss) &&
    } !                          SEQ_LEQ(ti->ti_ack, tp->snd_max)))
    }                               tp = tcp_drop(tp, ECONNREFUSED);
    }                       goto drop;
    }               }
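Review bot: the lower bound `SEQ_GT(ti->ti_ack, tp->iss)` anchors the accepted ACK range at the initial send sequence number, so the range grows with every byte the connection sends, and since SEQ_GT is a signed 32-bit comparison it inverts once `snd_max - iss` reaches 2^31: a genuine RST acknowledging snd_max is then dropped while a stale ACK from the start of the connection is accepted. Bound the range by the oldest unacknowledged byte instead, e.g. `SEQ_GEQ(ti->ti_ack, tp->snd_una) && SEQ_LEQ(ti->ti_ack, tp->snd_max)` (SEQ_GEQ rather than SEQ_GT if a RST that acknowledges exactly snd_una, with nothing outstanding, must still be honoured). The `/* XXX outside window? XXX */` placeholder also sits between the `&&` and its operand; move it above the `if` and state what the test is meant to establish.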
    
    As more data is sent across the connection, the window for a
    spoofed RST opens wider.  Once you send 2 GB, legitimate RSTs no longer
    work.  You should probably be comparing against tp->snd_una instead
    of tp->iss.
    
    } ***************
    } *** 1147,1152 ****
    } --- 1150,1159 ----
    }       case TCPS_FIN_WAIT_1:
    }       case TCPS_FIN_WAIT_2:
    }       case TCPS_CLOSE_WAIT:
    } +             /* XXX outside window? XXX */
    } +             if (SEQ_GEQ(ti->ti_seq, tp->rcv_nxt + tp->rcv_wnd) ||
    } +                 SEQ_LT(ti->ti_seq, tp->rcv_nxt))
    } +                 goto drop;
    }               so->so_error = ECONNRESET;
    }       close:
    }               tp->t_state = TCPS_CLOSED;
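Review bot: with a zero receive window `tp->rcv_nxt + tp->rcv_wnd` equals `tp->rcv_nxt`, so the two halves of the condition together cover the whole sequence space and every RST is dropped, including a legitimate one with ti_seq == rcv_nxt; handle rcv_wnd == 0 separately (accept only ti_seq == rcv_nxt, which is what RFC 793's acceptability test requires for a zero-length segment in a zero window). Note too that the test still honours a RST at any of rcv_wnd sequence numbers rather than only at rcv_nxt, so an attacker who can estimate the window keeps a rcv_wnd-wide target; that trade-off deserves a real comment in place of the `/* XXX outside window? XXX */` placeholder.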
    
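The two acceptance tests from the quoted patch, re-implemented stand-alone as an added example (this is not code from the page, from Bruce Mah's patch or from FreeBSD) so that the sequence-number arithmetic can be exercised. The SEQ_* macros follow the 4.4BSD definitions; `struct tcb`, `after_sending()` and the function names are assumptions made for this example, and `rst_ack_ok_una()` takes its lower bound inclusive (also an assumption) so a RST acknowledging exactly snd_una, with nothing outstanding, is still honoured. The example goes beyond the hunks in one respect: `rst_seq_ok_fixed()` shows the zero-window case handled as RFC 793 requires for a zero-length segment.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not FreeBSD code. Modular sequence comparisons with the
 * same semantics as the 4.4BSD SEQ_* macros: a signed 32-bit difference. */
typedef uint32_t tcp_seq;
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)
#define SEQ_GT(a, b)  ((int32_t)((a) - (b)) > 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* Assumed stand-in for the struct tcpcb fields the checks touch. */
struct tcb {
    tcp_seq  iss;      /* initial send sequence number */
    tcp_seq  snd_una;  /* oldest unacknowledged byte */
    tcp_seq  snd_max;  /* highest sequence number sent so far */
    tcp_seq  rcv_nxt;  /* next byte expected from the peer */
    uint32_t rcv_wnd;  /* receive window advertised to the peer */
};

/* First hunk as posted: RST+ACK accepted if ACK lies in (iss, snd_max]. */
bool rst_ack_ok_iss(const struct tcb *tp, tcp_seq ack)
{
    return SEQ_GT(ack, tp->iss) && SEQ_LEQ(ack, tp->snd_max);
}

/* Don Lewis's suggestion: bound by snd_una instead of iss. Inclusive lower
 * bound (assumption) so ACK == snd_una with nothing outstanding is accepted. */
bool rst_ack_ok_una(const struct tcb *tp, tcp_seq ack)
{
    return SEQ_GEQ(ack, tp->snd_una) && SEQ_LEQ(ack, tp->snd_max);
}

/* Second hunk as posted: drop unless rcv_nxt <= seq < rcv_nxt + rcv_wnd. */
bool rst_seq_ok_patch(const struct tcb *tp, tcp_seq seq)
{
    if (SEQ_GEQ(seq, tp->rcv_nxt + tp->rcv_wnd) || SEQ_LT(seq, tp->rcv_nxt))
        return false;
    return true;
}

/* Same test, but a zero receive window no longer rejects everything:
 * as in RFC 793 for a zero-length segment, only seq == rcv_nxt is acceptable. */
bool rst_seq_ok_fixed(const struct tcb *tp, tcp_seq seq)
{
    if (tp->rcv_wnd == 0)
        return seq == tp->rcv_nxt;
    return rst_seq_ok_patch(tp, seq);
}

/* Constructed connection state: `sent` bytes have gone out after the SYN,
 * all but `outstanding` of them already acknowledged by the peer. */
struct tcb after_sending(tcp_seq iss, uint32_t sent, uint32_t outstanding)
{
    struct tcb tp;
    tp.iss     = iss;
    tp.snd_max = iss + 1 + sent;          /* the SYN consumes one number */
    tp.snd_una = tp.snd_max - outstanding;
    tp.rcv_nxt = 0x5000;                  /* arbitrary, constructed */
    tp.rcv_wnd = 65535;
    return tp;
}

int main(void)
{
    /* Columns: does each ACK test accept the peer's genuine RST (ACK == snd_max)
     * and a stale spoofed RST that acknowledges only the SYN (ACK == iss + 1)? */
    const uint32_t sizes[] = { 64 * 1024, 1u << 30, 1u << 31 };
    printf("%12s %10s %10s %10s %10s\n",
           "bytes sent", "legit/iss", "stale/iss", "legit/una", "stale/una");
    for (size_t i = 0; i < 3; i++) {
        struct tcb tp = after_sending(1000, sizes[i], 8192);
        tcp_seq legit = tp.snd_max;
        tcp_seq stale = tp.iss + 1;
        printf("%12u %10d %10d %10d %10d\n", sizes[i],
               rst_ack_ok_iss(&tp, legit), rst_ack_ok_iss(&tp, stale),
               rst_ack_ok_una(&tp, legit), rst_ack_ok_una(&tp, stale));
    }

    /* Zero receive window: the posted sequence test drops even seq == rcv_nxt. */
    struct tcb zero = after_sending(1000, 0, 0);
    zero.rcv_wnd = 0;
    printf("zero window, seq == rcv_nxt: patch=%d fixed=%d\n",
           rst_seq_ok_patch(&zero, zero.rcv_nxt),
           rst_seq_ok_fixed(&zero, zero.rcv_nxt));
    return 0;
}
```

Running it shows the point made in the reply: the iss-based test accepts the stale ACK at every transfer size, and at 2 GB it also starts rejecting the genuine RST, because `snd_max - iss` has crossed 2^31 and the signed comparison flips; the snd_una-based test accepts only ACKs covering the outstanding 8192 bytes regardless of how much has been sent.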



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:38 PDT